Nov 12 2019 07:21 AM
What is the future of On-Prem Active Directory/ Active Directory Directory Services? Azure AD does not have the capabilities to do what AD/ADDS does and Azure AD does not work in environments where you cannot expose the systems to the internet. With Microsoft's push for hybrid everything. A large amount of important items are getting left behind.
Dec 01 2019 10:43 PM
This is the most current guidance I can find. It's rather general in nature but is also the only relatively current authoritative advice I can find.
My takeaway from this article is that on-premise AD isn't going anywhere (yet) even if they do have a shift in focus towards Azure AD as the supposed control plane (which I'm not on board with yet from technical parity and data governance perspectives).
I would imagine that there's numerous large organisations - both government and private - that have the same requirements as you (whatever they may be, as part of your "large amount of important items" statement).
Cheers,
Lain
Feb 25 2020 05:51 AM
Hi, the link you shared just links back to this page. Please can you share the article to which you were referring?
Thanks
Feb 25 2020 05:29 PM
Oh! That's embarrassing! Clearly a copy-and-paste fail there.
I've done a quick bit of searching and can't find any articles that ring any bells, however, I vaguely recall that it spoke to the ongoing need for Active Directory for large enterprise customers who are expected to remain hybrid for the foreseeable future.
I'll keep looking for that "authoritative" post I claim to have found, but in the meanwhile, here's some (highly-opinionated, but experiential all the same) additional concerns I've got where the marketing rhetoric doesn't match the on-the-ground deliverables.
The first is aimed squarely at Graph, since this is how Azure AD and many other Azure-centric Microsoft services are being exposed.
My biggest issues with Graph are that:
Point 2 reflects limitations of Azure AD itself when compared to on-prem Active Directory, however, Graph has more issues. The multi-valued attributes is a good example where, technically, Azure AD does indeed handle them properly but it let down by Graph, which doesn't surface them in the JSON response, leaving things like often-asked for features like using multi-valued attributes in dynamic licencing groups still out of reach.
This - for me - raises questions around the overarching Azure strategy which is further evident in the availability of no less than three Azure AD PowerShell modules. I feel like what we're getting as enterprise customers is a "make it up as you go" Agile-based approach to product development that's delivering a lot of new - and potentially nice - features, but poorly thought through and executed with a great many holes in the implementation.
Bringing the discussion back to Active Directory for a moment, I've listened to some people saying there's no further development planned and that's evidence of it's limited future. This to me only serves to demonstrate their lack of understanding of a directory service's obligation, which is firstly to act in accordance with the relevant standards, and from a practical perspective, deliver on its purpose which is to provide authorisation services. Additional roles and features were always a vendor add-on designed to benefit the customer, but you have to ask yourself, what more do I need from a directory service?
In that context, I don't really feel that further development of the service has really been all that important for at least the last decade. I think this is somewhat reflected in the schema changes from Server 2012 onwards where by and large, the only changes have largely been to facilitate cloud integration. To me, this is an acknowledgement that not much more could be added to the directory service itself.
Shifting contexts for a minute, on-premise Active Directory (or any other directory service, really) has tremendous value - when paired with a formal identity management strategy - in the context of handling on-boarding and offloading (think merger and divestment-like activities) where it's quite possible the external entity is not positioned well for integrating natively with Azure AD.
Lastly, but importantly, from a data governance perspective - particularly sovereignty as a subtopic; you're implicitly operating at a higher level of risk in storing your entire identity data set in Azure AD (or any cloud-based alternative) rather than just the operational metadata that if compromised might be embarrassing, but not in breach of legal frameworks such as your country's legislation (which we're seeing an increasing amount of here in Australia in the past five years).
This all reads like a lot of naysaying and that isn't deliberate for my part. I think Azure (and the other cloud platforms) is a wonderful tool that could use a good deal of love in playing catch-up to important feature parity with on-premise Active Directory as well as other on-premise products.
Where I diverge from the marketing fluff is that it is just that: a valuable tool in your arsenal that when adopted strategically can improve service delivery (including the over-touted, poorly understood "digital transformation"), not a panacea where wholesale adoption makes sense when considering your legal and commercial requirements. That I've seen a couple of clients back out from the cloud seems to lend some credibility to that observation (though I only have superficial awareness of the "whys" in those cases - I think OpEX cost was actually a prominent component).
I'd love to do more with Azure - particularly via Graph which enjoys good support from all the key identity management system vendors, but it's simply not mature enough to be all-encompassing when compared to the benefits from a hybrid approach.
Cheers,
Lain
Mar 03 2020 07:51 PM
Hi Sally,
I can't find the exact article I referred to earlier, but to take a couple of extracts from Microsoft's current guidance on docs.microsoft.com:
From Define a hybrid identity adoption strategy, under "Define an integration strategy":
From What is hybrid identity with Azure Active Directory?
I know what you're hoping to see is some form of hard end date (if one were to exist) for Active Directory, but I haven't seen or heard of such a thing in discussion. Even were it to be formally announced, it would take years upon years to effect and customers with high risk and compliance (governance) requirements - sovereignty is a common subtopic - would be at great risk of moving platforms entirely.
The fact that Microsoft has an integration strategy (as per the first article that outlines the current three-pronged approach to integration) recognises this and reinforces the notion that on-premise Active Directory (amongst a great many other things in the application space) is still very current and relevant.
Don't be misled by CSPs (Cloud Solution Providers) who would have you believe that Azure is exclusively the future as there are commercial motivators behind such rhetoric. The reality is quite different. It's also important to explicitly state that once you are integrated, you can adopt new cloud features as they're released just as readily as a "cloud only" customer. You are not going to "miss out".
Ultimately, you can come up with some amazing customer solutions/strategies through integrating on-premise services and applications (Active Directory being just one service) with the cloud (Microsoft and others). Nothing is forcing/advising you (CSPs aside) to limit your options through becoming a cloud-only organisation.
Cheers,
Lain
May 29 2020 06:06 AM
@Steskalj @Lain Robertson @SallyWeston
Thank you, guys, i really enjoyed this conversation.
May 29 2020 06:14 AM
@Lain Robertson From what I heard at ignite 2019, and from a few others. It sounds as if Microsoft is going to bring all the features of on-prem AD to Azure AD in the future. Since there is nothing like nested groups, ou, group policy, kerberos auth, etc ... in Azure AD. Hell, ADDS is the recommended way of setting up machine auth for Linux boxes in Azure. I see the two growing together to be one eventually. I just hope the on-prem keeps parity with the cloud version
Jun 05 2020 05:52 AM
Apr 18 2021 09:54 AM
@Steskalj given the fact there is no new Feature Level in AD DS on-premises, one could say AD DS is death. On the other hand there are a lot of things that cannot run only in Azure with Azure AD. Just for example it does not allow Kerberos.
This does not mean one has to have something on-premises. Ofc there is Azure Active Directory Services that fills this functional gap.
Even if the strategy of MSFT is hybrid, it does not mean that you have to use hybrid if you are not allowed.
Some are discussing Azure Goverment compliant cloud in Azure, yet there are IT departments that have a zero cloud strategy. Marketing calls this private cloud :) just to include them.
Some of our customers are exactly in that boat and so far, even if they cannot achieve the latest they still can work on-premises only.